Title: Nitesh Saxena
1 Nitesh Saxena
- Computer and Information Sciences
- University of Alabama at Birmingham
- Security and Privacy In Emerging Systems (SPIES) group - http://spies.cis.uab.edu
- Center for Information Assurance and Joint Forensics Research (CIAJFR) - http://thecenter.uab.edu/
2 Outline
- Background
  - What NFC is
- NFC Applications
  - What all one could do with it
- NFC Attacks/Fraud
  - What all can go wrong
- NFC Defenses
  - How things could be fixed
4 RFID System Overview
An RFID system usually consists of RFID tags and readers and a back-end server. Tags are miniaturized wireless radio devices that store information about their corresponding subject, such as a unique identification number. Readers broadcast queries to tags in their radio transmission ranges for information contained in tags and tags reply with such information.
[Diagram labels: Reader, Tag, reading signal, ID, back-end database]
6 Near Field Communication (NFC)
- NFC technology enables smart phones to have RFID tag and RFID reader functionality
- Phones can be used as payment tokens
- Next generation of payment system
- For example, Google Wallet App uses this function
- Already deployed in many places
- Just like RFID, it uses wireless radio communication
8 NFC Applications
9 Google Wallet Vision
10 NFC Applications
- Mobile Ticket Purchase: Austrian Federal Railways
11 NFC Applications
12 Other Applications
- NFC at Museum of London
- Posters / Replacement to QR Codes
- Productivity (Phone Use Cases)
- Automatic Pairing with Bluetooth
- Connect to Wi-Fi
- Make a Call/Text to a number
- Change settings automatically
- Check ins / Locations / Other social activity
- Open Apps
- SleepTrak (health monitoring)
- many many more
14 The RFID Privacy Problem
15 NFC Privacy Problem
- Should you worry?
- NFC is near field (one has to tap to read!)
- Yes, unfortunately
- Researchers have shown that it is possible to eavesdrop on NFC signals from a distance larger than its typical communication range
- [Kortvedt-Mjølsnes 2009]
16 The NFC Privacy Problem
17 The RFID Cloning Problem
Counterfeit!!
18 The NFC Cloning Problem
19 Relay Attack I: Ghost-and-Leech
[Diagram: query and response messages relayed between the parties]
20 Relay Attack II: Ghost-and-Reader
Variant of a Man-in-the-Middle attack
[Drimer et al., 2007] demonstrated live on Chip-and-PIN cards
[Diagram labels: Server, Malicious Reader, Authentic Reader, Ghost]
21 Reader and Ghost Relay Attack
- Fake reader relays information from legitimate NFC tag to Ghost
- relays information from the legitimate tag to fake tag
- Ghost relays received information to a corresponding legitimate reader
- Happens simultaneously while user performs transaction with legitimate NFC tag
- But for a higher amount
- Impersonating a legitimate NFC tag without actually possessing the device.
- While at a different physical location
22 NFC Malware Problem
YouTube video: http://www.youtube.com/watch?feature=player_detailpage&v=eEcz0XszEic
24 The NFC Privacy Problem
25 The NFC Cloning Problem
26 Relay Attack I: Ghost-and-Leech
[Diagram: query and response messages relayed between the parties]
27 Selective Unlocking
- Promiscuous reading is to blame
- Currently, NFC supports selective unlocking via PIN/passwords
- Works in practice but passwords are known to have problems especially in terms of usability
- Our approach: gesture-enabled unlocking
28 Relay Attack II: Ghost-and-Reader
Variant of a Man-in-the-Middle attack
[Drimer et al., 2007]
[Diagram labels: Server, Malicious Reader, Authentic Reader, Ghost]
29 Authentication is not Enough
- Alice's device must authenticate the whole transaction
- So Alice's phone knows that the reader charges 250
- But Alice doesn't
- The big screen on the malicious reader says 5
- Even if phone displays the correct amount, Alice may not look at it
- Or make a mistake due to rushing
30 Our Approach: Proximity Detection
- A second line of defense
- rather than relying upon the user
- Verify phone and reader are in same location
- Each device measures local data with sensor
- We use ambient audio
- Send authenticated data to server
- Server checks that the data is the same in both measurements
- Or at least similar enough
- Then approves the transaction
31 Advantages of our Approach
- Does not require explicit user action
- Does not change traditional NFC usage model
- Extremely difficult for attacker to change environmental attributes
- Geographical location not sent to server
- user's location privacy is protected (unlike the use of GPS coordinates)
- Compatible with current payment infrastructure
32 Implementation and Evaluation
- Sensor data collected by two devices in close proximity
- Capture audio from cell phone's built-in microphone (two Nokia N97 phones)
- Recorded 20 consecutive segments from two sensors simultaneously at different pairs of locations
- At 5 different locations
33 Detection Techniques
- Techniques based on time, frequency or both
- In both domains tested
- Euclidean distance between signals
- Correlation between signals
- Combined method: frequency distance and time-correlation
- Best results achieved for combined time-frequency based method
34 Time-Frequency Distance Technique
- Our new Time-Frequency-based technique
- Calculating distance between two signals
- Calculate Euclidean distance between frequency feature vectors
- Calculate Time-based correlation between signals
- Distance defined as D_C = 1 - Correlation
- Both distances combined for classification
- Combined as a 2-D point in space
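The time-frequency distance described on the two slides above, as an added example that is not code from the talk or the paper. It shows the server-side comparison accepting a phone recorded next to the reader and rejecting one recorded elsewhere (the relay case). The DFT-magnitude features, the lag window, the 0.3 cut-off (standing in for the trained classifier) and the synthetic recordings are all assumptions constructed for illustration.

```python
import cmath, math, random

N = 256  # samples per audio segment (constructed size, not from the talk)

def freq_features(x, bins=32):
    """Unit-length vector of DFT magnitudes for bins 1..bins (assumed feature choice)."""
    mags = [abs(sum(s * cmath.exp(-2j * math.pi * k * t / len(x)) for t, s in enumerate(x)))
            for k in range(1, bins + 1)]
    norm = math.sqrt(sum(m * m for m in mags)) or 1.0
    return [m / norm for m in mags]

def max_correlation(a, b, max_lag=20):
    """Peak normalized cross-correlation over +/- max_lag samples of recording skew."""
    best = 0.0
    for lag in range(-max_lag, max_lag + 1):
        pairs = [(a[i], b[i + lag]) for i in range(len(a)) if 0 <= i + lag < len(b)]
        num = sum(p * q for p, q in pairs)
        den = math.sqrt(sum(p * p for p, _ in pairs) * sum(q * q for _, q in pairs))
        if den:
            best = max(best, num / den)
    return best

def tf_distance_squared(a, b):
    """Squared length of the 2-D point (D_F, D_C), with D_C = 1 - correlation."""
    fa, fb = freq_features(a), freq_features(b)
    d_f = math.sqrt(sum((p - q) ** 2 for p, q in zip(fa, fb)))
    d_c = 1.0 - max_correlation(a, b)
    return d_f ** 2 + d_c ** 2

def same_location(a, b, threshold=0.3):
    # Constructed cut-off standing in for the trained classifier in the talk.
    return tf_distance_squared(a, b) <= threshold

def room(tones):
    """Constructed ambient sound: sum of (cycles, amplitude, phase) sinusoids."""
    return [sum(amp * math.sin(2 * math.pi * f * t / N + ph) for f, amp, ph in tones)
            for t in range(N)]

def record(ambient, seed, skew=0):
    """One device's recording: the ambient sound, skewed in time, plus sensor noise."""
    rng = random.Random(seed)
    return [ambient[(t + skew) % N] + rng.gauss(0, 0.05) for t in range(N)]

SHOP = room([(3, 1.0, 0.0), (7, 0.8, 1.0), (12, 0.6, 2.0)])
ELSEWHERE = room([(5, 1.0, 0.5), (17, 0.8, 1.5), (23, 0.6, 2.5)])
reader = record(SHOP, seed=1)
phone_nearby = record(SHOP, seed=2, skew=5)        # honest tap at the reader
phone_relayed = record(ELSEWHERE, seed=3, skew=5)  # victim phone in another place

if __name__ == "__main__":
    print("nearby :", same_location(reader, phone_nearby))
    print("relayed:", same_location(reader, phone_relayed))
```

A deployment would learn the decision boundary from labelled recordings, as the talk does with a classifier, rather than fixing a threshold by hand.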
35 Test Results
- Time-Frequency distance measure
Numbers are the distance measure squared
36 Detection Techniques
- Used simple classifier to detect samples taken at the same locations
- Simple-Logistics classifier from Weka
- 10-Fold classification
- Data divided into 10 groups, 9 used for training, one for testing
- Input to the classifier: Time-Frequency distance measure squared
37 Results
- Our tests showed perfect classification
- False Accept Rate 0 and False Reject Rate 0
- High level of security and usability
38 Comparison to Other Sensors
- Magnetometer tested, method to distinguish location not found
- Temperature not expected to vary much
- Therefore, overall audio gave most promising results
39 Conclusions from Proximity Detection
- Designed a defense for the Reader-and-Ghost attack
- Promising defense
- without changes to the traditional RFID usage model
- without location privacy leakage
- also applicable to sensor-equipped RFID cards
- Audio is a stronger signal compared to light
- More experiments are planned in the future
- Paper: ESORICS [Halevi et al. 2012]
- Media Coverage: Bloomberg, ZDNet, NFCNews, UAB News, etc.
40 NFC Malware Problem
YouTube video: http://www.youtube.com/watch?feature=player_detailpage&v=eEcz0XszEic
41 Malware Protection via Gestures
- Malware actions are software-generated
- Legitimate actions, on the other hand, are human-generated
- Human gestures will tell the OS whether an access request is benign or malicious
- Luckily, for NFC, a gesture that can work is tapping
- An explicit gesture could also be employed
42 Tap-Wave-Rub (TWR) Gestures
- Phone Tapping
- accelerometer
- Waving/Rubbing/Tapping
- proximity sensor
- Waving
- light sensor
43 TWR Enhanced Android Permissions
44 Initial Results
Phone Tapping (accelerometer)
Tap/wave/rub (proximity sensor)
45 Conclusions from TWR
- Initial results are promising
- The approach is applicable for protecting any other critical mobile device service
- SMS, phone call, camera access, etc.
- TWR gestures are also ideal for selective unlocking
46 Take Away from the Talk
- NFC is a promising new platform with immense possibilities
- However, a full deployment requires careful assessment of security vulnerabilities and potential fraudulent activities
- Many vulnerabilities similar to RFID
- Except malware: a burgeoning threat to NFC
- Other attacks possible such as phishing via malicious NFC tag
- Security solutions need to be developed and integrated with NFC from scratch
- Research shows promise
- Phone is almost a computer so a lot could be done (unlike RFID)
- User convenience or usability is an important design metric when developing security solutions
47 Acknowledgments
- Students: the SPIES
- Jaret Langston, Babins Shrestha, Tzipora Halevi, Jonathan Voris, Sai Teja Peddinti, Justin Lin, Borhan Uddin, Ambarish Karole, Arun Kumar, Ramnath Prasad, Alexander Gallego
- Other Collaborators
- More info: http://spies.cis.uab.edu
- http://spies.cis.uab.edu/research/rfid-security-and-privacy/
- Thanks!